Hackers gained access to a central database used to store user names, email addresses, and one-way encrypted (“hashed”) passwords. In addition, the database contains information that users may have optionally added to their profiles such as phone number and Skype ID.
Slack uses bcrypt with a randomly generated salt per-password that according to Slack, “makes it computationally infeasible that your password could be recreated from the hashed form.” No financial data was compromised and so far, the company hasn’t found any evidence that the hackers were able to decrypt the stored passwords.
Two New Security Options
Slack has launched two new features for individuals and team owners to help increase security. The first is Two-Factor authentication. Slack has a detailed guide that explains how to configure 2FA for your account. When you enable 2FA, you’ll be prompted to enter a verification code in addition to your normal password whenever you sign in.
The second is a “Password Kill Switch” for team owners. The kill switch allows for instantaneous team-wide resetting of passwords and forced termination of all user sessions for all team members. This means that everyone is signed out of your Slack team, in all apps and on all devices.
Enable 2FA Where Possible
Users are highly encouraged to enable 2FA on Slack and on any other service that supports it. To learn more about Slack’s security principles, including how to report security vulnerabilities, check out their security page.